Solved: How to configure Splunk UF?

Shakeer_Spl · ‎01-16-2023

Splunk UF

Hi folks,
Seeking help I am new to splunk I am trying to configure splunk UF, I have two vm's both vm's installed windows 10 however both vm's are communicating with each other in one VM I installed Splunk enterprise and in another VM installed Splunk UF.. Assuming splunk enterprise VM is receiver and splunk UF VM is forwarder so I assigned splunk UF VM IP into splunk enterprise VM as a forwader with port 9997 ex: xx.xx.xxx:9997
Still not receiving any logs from UF vm I would like to know that procedure I am doing is it correct
Would be appreciate your kind support
Thanks in advance..

Shakeer_Spl · ‎01-18-2023

Thanks,

issue fixed there was problem with port 9997 reconfigured working fine.

View solution in original post

richgalloway · ‎01-16-2023

In Splunk Enterprise, go to Settings->Forwarding and Receiving and enable receiving on port 9997. No IP address assignments are necessary.

In the UF, configure the Splunk Enterprise address with the command

./splunk add forward-server <<ip address>>:9997

or edit /opt/splunk/etc/system/local/outputs.conf

[tcpout:group1]
server=<<ip address>>:9997

and restart the UF.

See https://docs.splunk.com/Documentation/Forwarder/9.0.3/Forwarder/Configuretheuniversalforwarder for more information about configuring the UF.

---
If this reply helps you, Karma would be appreciated.

Shakeer_Spl · ‎01-18-2023

Thanks,

issue fixed there was problem with port 9997 reconfigured working fine.

How to configure Splunk UF?

using Splunk Enterprise

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)